Risk planning
Risk identification
Quantitative risk analysis
Qualitative risk analysis
Risk response
Identify, assess, plan and implement
Assalamu Alaikum. It's a very broad subject, Mr. Sarfaraz. At the basic level, risk management is a comprehensive process that includes:
1. Defining the scope - within which risks must be identified, assessed, responded to and monitored.
2. Assess the risk - Risks within the scope are assessed and classified according to their impacts. You can use different ‘methodologies’ for Risk Assessment and they follow two approaches:
   1. Quantitative
   2. Qualitative
   (refer to ‘Guide for Conducting Risk Assessments’, section 2.3.2)
3. Risk Response - There are four ways to respond to an assessed risk:
   1. Treat - the risk by implementing the necessary controls.
   2. Terminate - whatever is causing the risk, because the other three options are not feasible.
   3. Transfer - the risk to a third party, e.g., insurance companies.
   4. Tolerate - the risk; move on, doing nothing about it and hoping for the best.
4. Monitor - the risks so that they have less chance of materializing, or so that you are prepared if they do. In risk management philosophy, risk is only mitigated, never eliminated. So, even after you ‘treat’ a risk, ‘residual risk’ may remain.
Please use the following links. They are a bit dry, but excellent sources of information. They are also adopted worldwide for information and IT security.
Managing Information Security Risk http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
Guide for Conducting Risk Assessments http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
Guide for Applying the Risk Management Framework to Federal Information Systems http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
http://www.southwales-fire.gov.uk/English/aboutus/fireservicepublications/Documents/Risk%20Management%20Guidelines.pdf
Hope this helps. Good Luck.
regards,
Shereef
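The answer above describes the assessment approaches (quantitative vs. qualitative), the four responses, and residual risk in words. Below is an added worked example, not code from the original post or from the NIST guides it links, that carries those ideas through on a small risk register: it computes annualized loss expectancy (SLE × ARO) and a likelihood × impact score for each risk, works out the residual ALE each candidate control leaves behind, and picks Treat, Transfer, Tolerate or Terminate. The decision rule, the 1..5 weights for the qualitative levels, the risk appetite, and every figure in the sample register are assumptions constructed for illustration.

```python
"""Quantitative and qualitative risk assessment with the four responses.

Added worked example; not code from the original post or from NIST.
Every figure below (SLE, ARO, control costs, insurance premium, risk
appetite) and the decision rule itself are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Ordinal levels for the qualitative approach. The 1..5 weights are an
# assumption of this example, not values taken from SP 800-30.
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass
class Control:
    name: str
    annual_cost: float          # cost to operate the control per year
    aro_reduction: float = 0.0  # fraction removed from the occurrence rate
    sle_reduction: float = 0.0  # fraction removed from the loss per event


@dataclass
class Risk:
    name: str
    sle: float                  # single loss expectancy, currency per event
    aro: float                  # annualized rate of occurrence, events/year
    likelihood: str             # qualitative level, key of LEVELS
    impact: str                 # qualitative level, key of LEVELS
    controls: List[Control] = field(default_factory=list)
    transfer_premium: Optional[float] = None  # e.g. cyber-insurance premium


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: the quantitative measure of a risk."""
    return sle * aro


def qualitative_score(risk: Risk) -> int:
    """Likelihood x impact on the ordinal scale: the qualitative measure."""
    return LEVELS[risk.likelihood] * LEVELS[risk.impact]


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE left after a control is applied: mitigated, never eliminated."""
    return ale(risk.sle * (1 - control.sle_reduction),
               risk.aro * (1 - control.aro_reduction))


def choose_response(risk: Risk, appetite: float) -> dict:
    """Select Treat / Transfer / Tolerate / Terminate for one risk.

    Decision rule (an assumption of this example, not a NIST rule):
      tolerate  - inherent ALE is already within the risk appetite
      treat     - a control brings residual ALE within appetite and its
                  cost plus residual ALE is below the inherent ALE
      transfer  - premium below inherent ALE (residual assumed to be 0)
      terminate - none of the above is available; stop the activity
    Among treat/transfer candidates the lowest total annual cost wins.
    """
    inherent = ale(risk.sle, risk.aro)
    if inherent <= appetite:
        return {"response": "tolerate", "via": None,
                "annual_cost": 0.0, "residual_ale": inherent}

    candidates = []  # (total annual cost, response, via, residual ALE)
    for c in risk.controls:
        residual = residual_ale(risk, c)
        total = c.annual_cost + residual
        if residual <= appetite and total < inherent:
            candidates.append((total, "treat", c.name, residual))
    if risk.transfer_premium is not None and risk.transfer_premium < inherent:
        candidates.append((risk.transfer_premium, "transfer", "insurance", 0.0))

    if not candidates:
        return {"response": "terminate", "via": None,
                "annual_cost": 0.0, "residual_ale": 0.0}
    total, response, via, residual = min(candidates)
    return {"response": response, "via": via,
            "annual_cost": total - residual, "residual_ale": residual}


# Constructed sample register; all names and numbers are invented.
REGISTER = [
    Risk("Ransomware on file server", sle=200_000, aro=0.5,
         likelihood="moderate", impact="very high",
         controls=[Control("offline backups", 15_000, sle_reduction=0.8),
                   Control("EDR on endpoints", 30_000, aro_reduction=0.6)],
         transfer_premium=45_000),
    Risk("Lobby kiosk defacement", sle=2_000, aro=2.0,
         likelihood="high", impact="very low"),
    Risk("Legacy app on unsupported OS", sle=500_000, aro=0.3,
         likelihood="high", impact="very high",
         controls=[Control("network segmentation", 20_000, aro_reduction=0.5)]),
]
RISK_APPETITE = 25_000  # assumed: largest annual loss the organisation accepts


def assess_register(register: List[Risk], appetite: float = RISK_APPETITE) -> list:
    """Rank risks by inherent ALE and attach the chosen response to each."""
    rows = []
    for r in sorted(register, key=lambda x: ale(x.sle, x.aro), reverse=True):
        row = choose_response(r, appetite)
        row.update(risk=r.name, inherent_ale=ale(r.sle, r.aro),
                   qualitative=qualitative_score(r))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in assess_register(REGISTER):
        print(f"{row['risk']:<30} ALE={row['inherent_ale']:>9,.0f} "
              f"Q={row['qualitative']:>2} -> {row['response']:<9} "
              f"via={row['via']} residual={row['residual_ale']:,.0f}")
```

Run as-is it prints the ranked register: the legacy application is terminated because no listed control brings its residual ALE within appetite, the ransomware risk is treated with offline backups (cheaper in total than the insurance transfer, and still leaving a residual ALE of about 20,000 rather than zero), and the kiosk risk is tolerated because its inherent ALE is already within appetite. Swapping the appetite or the control figures changes the decisions, which is the point of keeping the rule explicit and the residual visible.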